Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
NetFlow version 9, the latest Cisco IOS NetFlow innovation, is a flexible and extensible method to record network performance data. It is the basis of a new IETF standard. Cisco is currently working with a number of partners to provide customers with comprehensive solutions for NetFlow-based planning, monitoring and billing.

Counter with length N x 8 bits for bytes for the number of bytes exported by the Observation Domain

| Field Type | Value | Data Type | Description |
| --- | --- | --- | --- |
| TOTAL_PKTS_EXP | 41 | unsigned64 | Counter with length N x 8 bits for bytes for the number of packets exported by the Observation Domain |
| TOTAL_FLOWS_EXP | 42 | unsigned64 | Counter with length N x 8 bits for bytes for the number of flows exported by the Observation Domain |
| IPV4_ROUTER_SC | 43 | ipv4Address | The router shortcut address i.e. address of router bypassed by a switch (specific for Catalyst architecture) |
| IPV4_SRC_PREFIX | 44 | ipv4Address | IPv4 source address prefix. This is a platform-specific field for Catalyst 5000/Catalyst 6000 family. It is used to store the address of a router that is being shortcut when performing MultiLayer Switching. |

Fields > 32768 (Enterprise Specific Fields)

The values of the fields listed below are set for compatibility with IPFIX Enterprise Specific numbering.

NFv9 and IPFIX field IDs differ.
An IPFIX field ID consists of an E (Enterprise) bit followed by a 15-bit ID.
If the topmost bit (E) is set, the field ID is enterprise-specific rather than an IANA standard ID.

For simplicity, we can treat this as a single 16-bit ID, starting at 0x8001 (32769).
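The numbering above, applied in a collector: this is an added example, not code from the original page or from Cisco. It splits the E bit from the 15-bit ID, checks template lengths against the attack-report fields listed in the table on this page, and maps the documented 0xFFFF/0xFFFFFFFF sentinels instead of reporting them as real ports, addresses or counts. It assumes NFv9 field specifiers are 2-byte type and 2-byte length pairs in network byte order; the function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# Attack-report fields from this page: ID -> (name, length, sentinel, meaning of sentinel)
SC_FIELDS = {
    32819: ("scAttackId", 4, None, None),
    32820: ("scAttackIp", 4, None, None),
    32821: ("scAttackOtherIp", 4, 0xFFFFFFFF, None),
    32822: ("scAttackPortNumber", 2, 0xFFFF, None),
    32827: ("scAttackMaliciousSessions", 4, 0xFFFFFFFF, "blocked"),
}

def split_field_id(field_id):
    """Split a 16-bit field type into (E bit, 15-bit ID)."""
    return bool(field_id & 0x8000), field_id & 0x7FFF

def parse_field_specs(buf):
    """Parse (type, length) pairs; reject lengths that contradict the table."""
    if len(buf) % 4:
        raise ValueError("truncated field specifier")
    specs = list(struct.iter_unpack("!HH", buf))
    for ftype, flen in specs:
        if ftype in SC_FIELDS and flen != SC_FIELDS[ftype][1]:
            raise ValueError(f"field {ftype}: length {flen} contradicts the table")
    return specs

def decode_record(specs, data):
    """Decode one data record; fields not in SC_FIELDS are kept as raw bytes."""
    if sum(flen for _, flen in specs) != len(data):
        raise ValueError("record length does not match template")
    out, pos = {}, 0
    for ftype, flen in specs:
        raw, pos = data[pos:pos + flen], pos + flen
        if ftype not in SC_FIELDS:
            enterprise, low = split_field_id(ftype)
            out[f"{'enterprise' if enterprise else 'standard'}_{low}"] = raw
            continue
        name, _, sentinel, meaning = SC_FIELDS[ftype]
        value = int.from_bytes(raw, "big")
        if value == sentinel:
            out[name] = meaning
        elif name.endswith("Ip"):
            out[name] = ipaddress.IPv4Address(value)
        else:
            out[name] = value
    return out

# Constructed sample: field specifiers (field 41 is outside SC_FIELDS) and one data record
SAMPLE_SPECS = struct.pack("!12H", 41, 4, 32819, 4, 32820, 4, 32821, 4, 32822, 2, 32827, 4)
SAMPLE_DATA = struct.pack("!IIIIHI", 1000, 7, 0xC0000205, 0xFFFFFFFF, 0xFFFF, 0xFFFFFFFF)
```

Validating the template before decoding means a field specifier with an unexpected length is rejected once, rather than silently shifting every later field in each record.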

Service Control Solution

| Field Type | Value | Len (bytes) | Description |
| --- | --- | --- | --- |
| scTag | 32769 | 4 | A globally unique value which identifies the type of reporting record. |
| scTrafficProcessorId | 32770 | 1 | Indicates which processing unit generated reporting record. Used for debug/troubleshooting. |
| scSourceIpSample | 32771 | 1 | The last byte of the source IP of the network flow for which the application generated the report. |
| scDestinationIpSample | 32772 | 1 | The last byte of the destination IP of the network flow for which the application generated the report. |
| scFlowContextId | 32773 | 4 | The Flow context ID that the current flow is related to. Used for debug/troubleshooting. |
| scSubscriberId | 32774 | 64 | The subscriber identification string, introduced through the subscriber management interfaces. For unknown subscriber this field may contain an empty string. The string may be padded with 0. |
| POLICY+id (was: scPackageId) | 32775 | 2 | A numeric value used as an Identifier for the policy profile assigned to the reported entity. (was: “The ID of the policy package/profile assigned to the subscriber”.) |
| scServiceId | 32776 | 4 | Indicates the service classification of the reported session |
| scProtocolId | 32777 | 2 | This field contains the unique ID of the protocol associated with the reported session. For port-based protocols (for example, TCP port 666 for DOOM) and IP-protocol-based protocols (for example, IP protocol 1 for ICMP), the PROTOCOL_ID will be the TCP_GENERIC / UDP_GENERIC / IP_PROTOCOL value, according to the specific base protocol of the transaction. For possible values see SCAS-BB Reference Guide. |
| scSkipppedSessions | 32778 | 4 | The number of unreported sessions since the previous reporting record of this kind |
| scInitiatingSide | 32779 | 1 | On which side of the SCE platform the initiator of the transaction resides: the subscriber side (0) or the network side (1). |
| scReportTime | 32780 | 4 | Ending time stamp of this reporting record. The field is in UNIX time_t format, which is the number of seconds since midnight of 1 January 1970. |
| scTransactionDurationMillisec | 32781 | 4 | Duration, in milliseconds, of the transaction reported in this reporting record. |
| scTimeFrame | 32782 | 1 | The system supports time-dependent policies, by using different rules for different time frames. This field indicates the time frame during which the reporting record was generated. The field’s value can be in the range 0 to 3, indicating which of the four possible time frames was used. |
| scSessionUpstreamVolume | 32783 | 4 | Upstream volume of the transaction, in bytes. The volume refers to the aggregated upstream volume on both links of all the flows bundled in the transaction. |
| scSessionDownstreamVolume | 32784 | 4 | Downstream volume of the transaction, in bytes. The volume refers to the aggregated downstream volume on both links of all the flows bundled in the transaction. |
| scProtocolSignature | 32785 | 4 | This field contains the ID of the protocol signature associated with this session. For possible values see SCAS-BB Reference Guide. |
| scZoneId | 32786 | 4 | This field contains the ID of the zone associated with this session |
| scFlavorId | 32787 | 4 | For protocol signatures that have flavors, this field contains the ID of the flavor associated with this session. |
| scFlowCloseMode | 32788 | 1 | The reason for the end of flow. |
| scAccessString | 32789 | 128, 256, 512, 1024 | A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include host name, server IP, server name, network name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide) |
| scInfoString | 32790 | 128, 256, 512, 1024 | A Layer 7 property, extracted from the transaction. The content of this field is record-specific and may include URL, sender, login name, group name etc. (see Table 2-23 in SCAS-BB 3.0 Reference Guide) |
| scClientPort | 32791 | 2 | For TCP/UDP-based sessions, the port number of the client side (initiator) of the networking session. For non-TCP/UDP sessions, this field has the value zero (0). |
| scServerPort | 32792 | 2 | For TCP/UDP-based sessions, this field contains the destination port number of the networking session. For non-TCP/UDP sessions, this field contains the IP protocol number of the session flow. |
| scSubscriberCounterId | 32793 | 2 | Each service is mapped to a counter. There are 32 subscriber counters. |
| scServiceUsageCounterId | 32794 | 2 | Each service is mapped to a counter. There are 32 counters in the subscriber scope |
| scBreachState | 32795 | 1 | Indicates whether the subscriber's quota was breached: 0, if the quota was not breached and 1, if the quota was breached. |

The ITU-U vendor ID of the application. A value of 0xFFFFFFFF indicates that this field was not found in the traffic.

| Field Type | Value | Len (bytes) | Description |
| --- | --- | --- | --- |
| scUpstreamPacketLoss | 32815 | 2 | The average fractional upstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened). |
| scDownstreamPacketLoss | 32816 | 2 | The average fractional downstream packet loss for the session, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFF indicates that this field is undefined (no RTCP flows were opened). |
| RESERVED1 | 32817 | N/A | Reserved for SCE |
| RESERVED2 | 32818 | N/A | Reserved for SCE |
| scAttackId | 32819 | 4 | Unique attack ID. |
| scAttackIp | 32820 | 4 | The IP address related to this attack. |
| scAttackOtherIp | 32821 | 4 | The other IP address related to this attack if exists, 0xFFFFFFFF otherwise. |
| scAttackPortNumber | 32822 | 2 | The port number related to this attack, if such exists (if this is an IP scan, for example), or 0xFFFF otherwise in case the info is not relevant (certain types of attacks). |

The number of attacks in the current reporting period. Since this report is generated per attack, the value is 0 or 1.

| Field Type | Value | Len (bytes) | Description |
| --- | --- | --- | --- |
| scAttackMaliciousSessions | 32827 | 4 | Aggregated number of sessions for the reported attack, for the current reporting period. If the SCE platform blocks the attack, this field takes the value 0xFFFFFFFF. |
| scUserAgent | 32828 | 64 | The user agent field extracted from the HTTP transaction. |
| scHttpUrl | 32829 | 64 | The URL extracted from the HTTP transaction. |
| scSipDomain | 32830 | 64 | SIP: Domain name extracted from SIP header. |
| scSipUserAgent | 32831 | 64 | SIP: User-Agent field extracted from SIP header. |
| scFlowStart | 32832 | 4 | Flow start time. |
| scFlowType | 32833 | 1 | 0: All Skype flows; 1: Audio (SIP); 2: Video (SIP) |
| scSessionId | 32834 | 4 | SIP: The flow-context ID of the control flow. Skype: The flow-context ID of the flow. |
| scUpstreamJitter | 32835 | 4 | SIP: The average upstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing. Skype: N/A (0xFFFFFFFF). |
| scDownstreamJitter | 32836 | 4 | SIP: The average downstream jitter for the session, taken from the RTCP flow: N/A (0xFFFFFFFF) if RTCP flow is missing. Skype: N/A (0xFFFFFFFF). |
| scUpstreamPayloadType | 32837 | 1 | SIP: The upstream RTP payload type for the session. Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened). |
| scDownstreamPayloadType | 32838 | 1 | SIP: The downstream RTP payload type for the session. Skype: N/A (0xFF). A value of 0xFF indicates that this field was not available (no RTP flows were opened). |
| scUpstreamAverageJitter | 32839 | 4 | The average upstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened). |
| scDownstreamAverageJitter | 32840 | 4 | The average downstream jitter for the session in units of 1/65.535 millisecond, taken from the RTCP flow. (Refer to the note following this table for an explanation of this value.) A value of 0xFFFFFFFF indicates that this field is undefined (no RTCP flows were opened). |
| scCallDestination | 32841 | 64 | The Q931 Alias address of the session destination. A value of N/A indicates that this field was not found in the traffic. |
| scCallSource | 32842 | 64 | The Q931 Alias address of the session source. A value of N/A indicates that this field was not found in the traffic. |
| scCallType | 32843 | 1 | The call type (taken from H225 packet). A value of 0xFF indicates that this field is undefined (no RTP flows were opened). |
| scMediaChannels | 32844 | 1 | The number of data flows that were opened during the session. |
| scBlockReason | 32845 | 1 | Indicates the reason why this session was blocked. For possible values and their interpretation, see Block Reason, page 2-42 of the SCA BB Reference Guide |
| scBlockRdrCount | 32846 | 4 | Total number of blocked flows reported so far (from the beginning of the current time frame). |

A site is a user-defined grouping of hosts (IP addresses) and, optionally, data sources (logical channels of ingress traffic, i.e. observation points) according to one of the following or similar supported definition methods, for example:

Network Prefix(es)

Network Prefix(es) + Set of Data Source(s)

Network Prefix(es) + Set of Data Source(s) + Set of VLAN(s)

WAAS data source

NDE/CEF data source + interface(s)

| Field Type | Value | Len (bytes) | Description |
| --- | --- | --- | --- |
| dstSite | 42003 | 4 | NAM’s assigned destination site (aggregation of destination hosts) |
| serverSite | 42004 | 4 | NAM’s assigned server site for IAP metrics (can be both traffic source and destination) |
| clientSite | 42005 | 4 | NAM’s assigned client site for IAP metrics (can be both traffic source and destination) |
| Unused | 42006 | N/A | Unused. |
| serverIPv4Address | 42007 | 4 | Server address (IPv4) in IAP metrics (can be both traffic source and destination) |
| clientIPv4Address | 42008 | 4 | Client address (IPv4) in IAP metrics (can be both traffic source and destination) |
| Unused | 42009 | N/A | Unused. |
| netEncap | 42010 | 4 | Network protocol encapsulation enum |
| serverIPv6Address | 42011 | 16 | Server address (IPv6) in IAP metrics (can be both traffic source and destination) |
| clientIPv6Address | 42012 | 16 | Client address (IPv6) in IAP metrics (can be both traffic source and destination) |

A transaction is defined as a pair consisting of an application-layer request from the client and the associated response from the server. Each request/response consists of one or more packets carrying application data.

| Field Type | Value | Len (bytes) | Description |
| --- | --- | --- | --- |
| sumTransactionTime | 42041 | 4 | Sum of transaction time. Divide by transactionCountDelta for AVG |
| maxTransactionTime | 42042 | 4 | Maximal transaction time in msec |
| minTransactionTime | 42043 | 4 | Minimal transaction time in msec |
| sumDataTransmissionTime | 42044 | 4 | Sum of data transmission time in msec. Transmission is defined as the data transmission of the server response in a transaction |